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Aims/Motivation 


e Data-structure with aliasing pointers 
e Get multiple non-aliasing mutable references 
e Verify functional correctness properties. 


Multiple mutable references 


— Mutable Reference 
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Multiple mutable references 


—- Mutable Reference 


10GE® 


GhostPtrToken’s API has specifications that rely on a verifier to check for safety 


Verification Tool Requirements 


This work isn't specific to a tool/methodology, but needs 


e Support for mutable references (in structs, behind other references, etc.) 
e Support for logical maps (e.g. smitlib theory of Arrays) 
e Some notion of equality for the data stored in the GhostPtrToken 


| used Creusot as it had the best support for these features so far 


Note: The examples following require extra assert statements to help with 
extensionality axioms; elided here for presentation. 


ptr_to_box/ptr_from_box 


let mut x: GhostPtrToken<_> = _; —> Box 
eens > Raw Pointer 


—- GhostPtrToken Ownership 
ene + Dangling Raw Pointer 
—-+ Mutable Reference 


ptr_to_box/ptr_from_box 


let mut x: GhostPtrToken<_> = _; 
let b = ptr_to_box(ptr1, x); 
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ptr_to_box/ptr_from_box 


let mut x: GhostPtrToken<_> = _; — + Box 


let b= ptr.to_box(ptrl, x)p 0000 ka > Raw Pointer 
let ptr3 = ptr_from_box(ptr3, x); 
—- GhostPtrToken Ownership 


ptr3 |. | Seeee + Dangling Raw Pointer 
! —-> Mutable Reference 


ptrt:| | | 


ptr_as_mut2 


let mut x: GhostPtrToken<_> 


ptri:| | | 


ptr2:| | | 
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ptr_as_ mut2 


let mut y = &mut Xp > Raw Pointer 


let mut x: GhostPtrToken<_> = _; — + Box 


—- GhostPtrToken Ownership 
Dangling Raw Pointer 
Mutable Reference 


ptri:| | | ptr2:| | | 


ptr_as_ mut2 


let mut x: GhostPtrToken<_> = _; 
let mut y = &mut x; 
let r1 = ptr_as_mut2(ptr1, &mut y); 


ri: 


ptr1: Ct 


ptr2:| | | 
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Raw Pointer 
GhostPtrToken Ownership 
Dangling Raw Pointer 
Mutable Reference 


ptr_as_mut2 


let 
let 
let 
let 


mut x: GhostPtrToken<_> = _; 
mut y = &mut x; 


ri 
r2 


ptr_as_mut2(ptr1, &mut y); 
ptr_as_mut2(ptr2, &mut y); 


ri: 


ptri:| | | 


ptr2:| | | 


Box 
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ptr_as_ mut2 


let mut x: GhostPtrToken<_> = _; 
let mut y = &mut x; 
let r1 = ptr_as_mut2(ptr1, &mut y); 
let r2 = ptr_as_mut2(ptr2, &mut y); 
// expire lifetime 


ptr: Ct 


ptr2:| | | 


Box 

Raw Pointer 
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Linked List Example (Definition) 


pub struct Node<T> { 
pub data: T, 
pub next: *const Node<T>, 


} 


pub struct LinkedList<T> { 
head: *const Node<T>, 
tail: *const Node<T>, 


Physical Layout 


Linked List Example (Definition) 


pub struct Node<T> { 
pub data: T, 
pub next: *const Nodes<T>, 


} 


pub struct LinkedList<T> { 
head: *const Node<T>, 
tail: *const Node<T>, 
token: GhostPtrToken<Node<T>>, 


Physical Layout 


Linked List Example (Definition) 


pub struct Node<T> { 
pub data: T, 
pub next: *const Nodes<T>, 


} 


pub struct LinkedList<T> { 
head: *const Node<T>, 
tail: *const Node<T>, 
token: GhostPtrToken<Node<T>>, 


Ownership Model 


Linked List Example (dequeue) 


pub fn dequeue(&mut self) -> Option<T> { 
if self.head.is_null() { 
None 
} else { 
let node = *unsafe{Box: :from_raw(self .head) }; 
self .head = node.next; 
Some (node. data) 


Linked List Example (dequeue) 


#[requires(??7?) ] 
pub fn dequeue(&mut self) -> Option<T> { 
if self.head.is_null() { 
None 
} else { 
let node = *ptr_to_box(self.head, &mut self .token) ; 
self .head = node.next; 
Some (node. data) 


Linked List Example (dequeue) 


#[requires(self.head.is_null() || self.token.contains(self.head) ) ] 
pub fn dequeue(&mut self) -> Option<T> { 
if self.head.is_null() { 
None 
} else { 
let node = *ptr_to_box(self.head, &mut self.token); 
self .head = node.next; 
Some (node. data) 


Linked List Example (Invariant) 


: e Sequence of nodes from head to tail 
' e@ Tail points to valid node whose next is null 


Linked List Example (dequeue) 


#[ requires((*self) .invariant()) ] 

#[ensures((‘self).invariant()) ] 

pub fn dequeue(&mut self) -> Option<T> { 
if self.head.is_null() { 


None 

} else { 
let node = *ptr_to_box(self.head, &mut self.token) ; 
self.head = node.next; “alk 


Some (node. data) 


Linked List Example (dequeue) 


#[ requires((*self) .invariant()) ] 

#[ensures((‘self).invariant()) ] 

pub fn dequeue(&mut self) -> Option<T> { 
if self.head.is_null() { 


None 
} else { 
let node = *ptr_to_box(self.head, &mut self.token) ; 
self.head = node.next; eal 
Some (node. data) 
\ node 


Linked List Example (dequeue) 


#[ requires((*self) .invariant()) ] 

#[ensures((‘self).invariant()) ] 

pub fn dequeue(&mut self) -> Option<T> { 
if self.head.is_null() { 


None 
} else { 
let node = *ptr_to_box(self.head, &mut self.token) ; 
self.head = node.next; “alk 
Some (node. data) 
\ node 


Linked List Example (IterMut Definition) 


pub struct IterMut<'a, T> { 
curr: *const Node<T>, 
token: &' a mut GhostPtrToken<Node<T>>, 
tail: Ghost<*const Node<T>>, 


} 


#[ predicate] 
pub fn invariant(self) -> bool { 
LinkedList{head: self.curr, tail: *self.tail, 
token: *self.token}.invariant() 


Linked List Example (IterMut next) 


#[ requires((*self) .invariant()) ] 
#[ensures((‘self).invariant() ) ] 
fn next(&mut self) -> Option<&'a mut T> { 
if self.curr.is_null() { 
None 
} else { 


let node = unsafe{&mut *self.curr}; 


self.curr = node.next; 
Some(&mut node.data) 


Linked List Example (IterMut next) 


#[ requires((*self) .invariant()) ] 
#[ensures((‘self).invariant()) ] 
fn next(&mut self) -> Option<&'a mut T> { 
if self.curr.is_null() { 
None 
} else { 
let node = ptr_as_mut2(self.curr, &mut self .token) ; 
self.curr = node.next; 
Some(&mut node.data) 


Linked List Example (iter_mut) 


#[ requires((*self) .invariant()) ] 
#[ensures(result.invariant()) ] 
#[ensures( (self) .invariant()) ] 
pub fn iter_mut(&mut self) -> IterMut<' 
IterMut{curr: self .head, 
token: &mut self .token, 
tail: ghost! (self.tail) } 


—J) 


T> { 


Linked List Example (IterMut Definition take 2) 


pub struct IterMut<'a, T> { 
curr: *const Node<T>, 
token: &' a mut GhostPtrToken<Node<T>>, 
tail: Ghost<*const Node<T>>, 


} 


#[ predicate] 
pub fn invariant(self) -> bool { 

LinkedList{head: self.curr, tail: *self.tail, token: 
*self.token}.invariant() 


#[ predicate] 
pub fn invariant_fin(self) -> bool { 

LinkedList{head: self.curr, tail: “self.tail, token: 
*self .token}.invariant() 


Linked List Example (iter_mult) 


#[ requires((*self) .invariant()) ] 
#[ensures(result.invariant() ) ] 
#[ requires_on_expiry(result.fin_invariant() ) ] 
#[ensures((‘self).invariant()) ] 
pub fn iter_mut(&mut self) -> IterMut<'_, T> { 
IterMut{curr: self.head, 
token: &mut self.token, 
tail: ghost! (self.tail) } 


Linked List Example (iter_mult) 


#[ requires((*self) .invariant()) ] 
#[ensures(result.invariant()) ] 


#[ensures(result.fin_invariant() = (‘self).invariant()) ] 
pub fn iter_mut(&mut self) -> IterMut<'_, T> { 
IterMut{curr: self.head, 
token: &mut self.token, 
tail: ghost! (self.tail) } 


Linked List Example (IterMut next) 


#[ requires((*self) .invariant()) ] 
#[ensures((‘self).invariant()) ] 
#[ensures((‘self).fin_invariant() = (*self).fin_invariant())] 
fn next(&mut self) -> Option<&'a mut T> { 
if self.curr.is_null() { 
None 
} else { 
let node = ptr_as_mut2(self.curr, &mut self.token) ; 
self .curr = node.next; 
Some(&mut node.data) 


Verus Comparison 


e Verus' PermData could provide a part of what GhostPtrToken achieves 
o provided some suitable Verus extension to mutable data / references 


e One could build a Verus version of the library with more granularity, e.g. 


struct GhostPtrToken<T>(Seq<PermData<T>>) ; 


e Such an API could also allow replacing ‘PermData’ with some other resource 


e Exploring this further in Verus requires support for mutable references / data 


Future Work 


e Generalize to GhostPtrloken<T> to Seq<PermData<T>> 
o Special double mutable reference handling and merging would end up as methods on Seq so 
difference resources could use them for free 
o This would make it easier to support for example, an equivalent ZST for storing access to 


UnsafeCells instead of raw pointers 
e Introduce GhostRef<’a, GhostPtrloken<T>> replace &’a GhostPtrloken<T> 


o Same for &'a mut GhostPtrloken<T> 
o In Rust references to ZSTs have an non-zero size so having zero sized equivalents could save 


space 


Summary 


e Implemented API with specifications using Creusot 
o  https://github.com/dewert99/ghostptrtoken_demo 
e Implemented varied data structures with GhostPtrToken 
o _Linked List with tail pointer 
o SkipList (single threaded) — —>{ wit | 
o UnionFind with path compression ia ol 0 = 
https://en.wikipedia.org/wiki/Skip_list 
e 


Formalized and verified specs for GhostPtrToken methods in RustHornBelt 
(Matsushita et al. 2022) 


36 


GhostPtrToken API 


fn ptr_from_box<T>(val: Box<T>, t: &mut GhostPtrToken<T>) -> *const T 
fn ptr_to_box<T>(ptr: *const T, t: &mut GhostPtrToken<T>) -> Box<T> 
fn ptr_as_ref<T>(ptr: *const T, t: &GhostPtrToken<T>) -> &T 

fn ptr_as_mut<T>(ptr: *const T, t: &mut GhostPtrToken<T>) -> &mut T 
fn merge<T>(t: &mut GhostPtrToken<T>, other: GhostPtrToken<T>) 


fn ptr_as_mut2<'a, T>(ptr: *const T, t: &mut &'a mut GhostPtrToken<T>) -> 
&' a mut T 


GhostPtrToken<T> can be thought of as similar to Map<*const T, T> 37 


